
Maybe you can tell him to send you mail with a photo from a webserver owned by you.
Then you can add a script that will log all the IPs who are downloading this photo and you'll see whether someone intercepts his mail.
Then you can track the IP who viewed your photo and his mail.

Well, on to your options. I think the most used technique to find a leak is by sending false information and seeing if your suspect picks up on it. This is used by even the most un-tech-savvy of computer users. Putting something juicy or interesting in an email and then casually bringing it up later in a conversation and seeing if the suspect lets out more than you have told him.

But if the person is using some cheap online email account you can add an IP/timestamp logger to your emails. Actually, depending on how you used it, it could probably work in the best of online email accounts. Anywho, here's the gist: you make a small Perl script that does the following,

#!/usr/bin/perl
use strict;
use warnings;
# append who fetched the image ($ENV{REMOTE_ADDR} = IP of whoever opens the email) and when
# (log and image paths are placeholders; point them at your own server's files)
open my $log, '>>', '/var/www/logs/mail_opens.log' or die "log: $!";
print $log "$ENV{REMOTE_ADDR} opened the email at " . localtime() . "\n";
close $log;
# then serve the real image so the email renders normally
open my $img, '<', '/var/www/images/photo.gif' or die "image: $!";
binmode $img;
binmode STDOUT;
print "Content-Type: image/gif\n\n";
print while <$img>;
close $img;

This is something I used to use and it works. But today, sites like Gmail automatically block images in emails, just like Outlook, unless the user clicks a link to show the images. So if that's the case, you can create an email where the main focus is the data on some graph or other interesting image that would cause the user to download the image.

I had a pretty nice program back in the day. I modified my .htaccess so that .gif extensions were associated with CGI scripts (just to add to the realness) and I used sendmail to alert me whenever the image was triggered as well as logged everything to a file.
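The interception check described in this thread only works if you can tell the recipient's own fetches apart from anyone else's. Below is an added example (not code from the thread) that assumes each email embeds its image URL with a per-message token and that the CGI script writes a `token=` field into its log line; it parses a constructed sample of that log and flags every message that was fetched from an address outside the recipient's expected set.

```python
import re
from collections import defaultdict

# Constructed sample of the beacon log (one line per image fetch).
# 203.0.113.10 is the client's own office address; 198.51.100.77 is a second,
# unexpected fetcher of the same message. One malformed line is included on purpose.
SAMPLE_LOG = """\
203.0.113.10 opened token=msg-0001 at 2006-03-01T09:14:02
203.0.113.10 opened token=msg-0002 at 2006-03-01T11:40:55
not a beacon line
198.51.100.77 opened token=msg-0002 at 2006-03-01T11:41:30
203.0.113.10 opened token=msg-0003 at 2006-03-02T08:02:17
"""

# Matches the assumed log format: "<ip> opened token=<id> at <timestamp>"
LINE_RE = re.compile(r"^(?P<ip>\S+) opened token=(?P<token>\S+) at (?P<ts>\S+)$")


def parse_log(text):
    """Return a list of (ip, token, timestamp) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["ip"], m["token"], m["ts"]))
    return rows


def suspicious_opens(rows, expected_ips):
    """Map token -> sorted list of fetcher IPs outside the recipient's expected set.

    A message image fetched from an unexpected address was rendered somewhere
    other than the intended mailbox: forwarded, proxied, or intercepted.
    """
    seen = defaultdict(set)
    for ip, token, _ts in rows:
        if ip not in expected_ips:
            seen[token].add(ip)
    return {token: sorted(ips) for token, ips in seen.items()}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(suspicious_opens(rows, {"203.0.113.10"}))
```

Webmail services that fetch images through their own proxy will show the proxy's address rather than the reader's, so baseline the recipient's normal fetch addresses before treating an unfamiliar one as evidence of interception.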

Good stuff, but now some root cause analysis... what is the commonly used way to 'hijack' an email address?

Thx for the input... I will razzle and dazzle them at tomorrow's meeting... for shizzl

Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum. But as far as a commonly used way, there is none. It's not like you can just launch stealthisaccount.exe -a bob@thecompetition.com and instantly have an account. It's more like invading a country...

Ahhh, and the hat turns black... I think account hijacking is beyond the scope of this forum.

Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.

If you have any concerns about what you might want to post, please feel free to PM me or any other Mod or Admin. We do believe in full disclosure, but it is "responsible" full disclosure.

What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.

Now, this may not even be a true "IT" issue. We could have a "mole" on the inside, his client's greed might have encouraged him (the client) to accept a "trojan horse" account (proper use of Trojan Horse there... had to read that stuff for my ancient Greek exams)

I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".

Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?

Keep chipping away at the boulder, folks

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Well if that's the case then I guess it wouldn't hurt to glaze over a couple things.

Since you touched on the Trojan Horse subject, that is probably the easiest, most cut and dry way a person is going to get inside a place to take a look around without going through the sleepless weeks and efforts of a real hack. Plus it's insanely easy so even Fred who sweeps up out back behind the warehouse could do it. Be warned however, this is not advice, instructions or anything of that nature. Merely a discussion, and should you flip this around and use any of this to try anything to anyone and get caught, the law's heavy hammer will come crashing down on you.

So now, back to the trojan horse. It's very possible your client could be infected with one and not know it. Are his antivirus definitions up to date? Understand that antivirus programs only catch the bad stuff based on their signature. If you take a well known virus that every AV in the world looks for, and run it through some new packer, you change the signature of the file and voila, the AV doesn't know it's a trojan anymore. I used to play with Sub7 back in the day (didn't we all?) and while all the AVs looked for it, I had packed it with a no-name hole-in-the-wall packer and was able to send it to friends and family undetected, just for SnG's of course. It worked for a whole week before McAfee was able to detect it. Norton took another couple weeks after that. And getting someone to download something is sooOoOo easy. Gotta love horny guys. I remember a story in the news about a guy who was duped by a hacker in a chat room claiming to be a young teen. "She" sent him "revealing pictures" that let the hacker rape the retard's computer and he ended up scoring passwords that led to another raping of a huge company.

Anywho, the point is, a recent survey showed that most people think they have AV or firewall protection but really don't have any protection at all. Your client could swear on a stack of bibles that he has AV, but then you could look and see that his Norton 30-day free trial that came bundled with his computer expired 2 and a half years ago and couldn't detect Sober if it stabbed him in the ass.

But trojans aren't the only thing that could come into play here. A rootkit could be present that gives the other person a 24/7 pass into your computer. Try downloading Rootkit Revealer and see what happens.

Also, is there a firewall installed? What kind? If not give ZoneAlarm a try. It's free and user friendly, and should tell you when and where your packets try to sneak off to, and ask you if you want to let it happen or not.

There's tons of ways to get a trojan or rootkit into another network. Someone could have paid a disgruntled or just plain easily swayed employee to do the job for them. And if you're a fan of the Stealing the Network series, you should remember one of the guys talking about another easy way to get inside. Just burn the trojan/rootkit to a disc and have it autorun. Then toss some other worthless but seemingly interesting stuff on the disc (porn, games, sensitive-looking documents) and label it accordingly, "The Best of Heather Brooks", "Duke Nukem Forever (LEAKED!!)" or "Sales Data". Then "drop" it somewhere near the building and wait for it to phone home and deliver you a set of keys.


Guys,

The trojan/rootkit possibility has been explored, nothing has been found... we took the computers almost completely apart, sector by sector.

At this moment we're looking into the human aspect of this so-called 'hack' and it looks like the client is just paranoid. I'm just getting my facts straight, I know that attacking an email server needs some skill and a lot of free time...

It would mean that the attacker has a clear image of his target, is it possible to discover with a traceroute which server the sender is using?

Whilst I appreciate and applaud your concern, we do actually discuss these matters within reason. Like I am not going to post links to skiddie tools or whatever, but I have reviewed commercial stuff of this nature in the past, as have many other members.

Thx for the concern but I'm not interested in the scribbiedidlydoo tools. I'm more interested in 'global' views so we can protect ourselves against it.

Originally Posted by nihil

What our friend seems to have here is not the usual account hijacking scenario as I read things. This is a bit more along the lines of industrial/commercial espionage. Nasty, but unfortunately it happens.

It looks like (if it's true) an elaborate and well organised effort but I doubt it... too many holes in the story of the client. We just need to cover all angles.

Originally Posted by nihil

I am still waiting to see if we have a general e-mail or client specific ones. If it is the latter, we would need to know (in general) what made the target accounts "special".

General email

Originally Posted by nihil

Hell, this stuff isn't rocket science, but it is a bit difficult given our means of communication and the time differences between us all?

Your client has a customer who is a spy, and he is sending his e-mails to that account as well as all his legitimate ones.

Search for Occam's Razor or KISS

MrEsco, your client does not come across as the sharpest tool in the shed, now does he?

To put it very bluntly, how you tell him that he has **** for brains is down to you old chap
